Download - Teradata Viewpoint Configuration Guide - Home | Teradata

Teradata Viewpoint Configuration GuideMay 2009
The product or products described in this book are licensed products of Teradata Corporation or its affiliates.
Teradata, BYNET, DBC/1012, DecisionCast, DecisionFlow, DecisionPoint, Eye logo design, InfoWise, Meta Warehouse, MyCommerce, SeeChain, SeeCommerce, SeeRisk, Teradata Decision Experts, Teradata Source Experts, WebAnalyst, and You’ve Never Seen Your Business Like This Before are trademarks or registered trademarks of Teradata Corporation or its affiliates. Adaptec and SCSISelect are trademarks or registered trademarks of Adaptec, Inc. AMD Opteron and Opteron are trademarks of Advanced Micro Devices, Inc. BakBone and NetVault are trademarks or registered trademarks of BakBone Software, Inc. EMC, PowerPath, SRDF, and Symmetrix are registered trademarks of EMC Corporation. GoldenGate is a trademark of GoldenGate Software, Inc. Hewlett-Packard and HP are registered trademarks of Hewlett-Packard Company. Intel, Pentium, and XEON are registered trademarks of Intel Corporation. IBM, CICS, RACF, Tivoli, and z/OS are registered trademarks of International Business Machines Corporation. Linux is a registered trademark of Linus Torvalds. LSI and Engenio are registered trademarks of LSI Corporation. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are registered trademarks of Microsoft Corporation in the United States and other countries. Novell and SUSE are registered trademarks of Novell, Inc., in the United States and other countries. QLogic and SANbox are trademarks or registered trademarks of QLogic Corporation. SAS and SAS/C are trademarks or registered trademarks of SAS Institute Inc. SPARC is a registered trademark of SPARC International, Inc. Sun Microsystems, Solaris, Sun, and Sun Java are trademarks or registered trademarks of Sun Microsystems, Inc., in the United States and other countries. Symantec, NetBackup, and VERITAS are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Unicode is a collective membership mark and a service mark of Unicode, Inc. UNIX is a registered trademark of The Open Group in the United States and other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
THE INFORMATION CONTAINED IN THIS DOCUMENT IS PROVIDED ON AN “AS-IS” BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. IN NO EVENT WILL TERADATA CORPORATION BE LIABLE FOR ANY INDIRECT, DIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS OR LOST SAVINGS, EVEN IF EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The information contained in this document may contain references or cross-references to features, functions, products, or services that are not announced or available in your country. Such references do not imply that Teradata Corporation intends to announce such features, functions, products, or services in your country. Please consult your local Teradata Corporation representative for those features, functions, products, or services available in your country. Information contained in this document may contain technical inaccuracies or typographical errors. Information may be changed or updated without notice. Teradata Corporation may also make improvements or changes in the products or services described in this information at any time without notice. To maintain the quality of our products and services, we would like your comments on the accuracy, clarity, organization, and value of this document. Please e-mail: [email protected] Any comments or materials (collectively referred to as “Feedback”) sent to Teradata Corporation will be deemed non- confidential. Teradata Corporation will have no obligation of any kind with respect to Feedback and will be free to use, reproduce, disclose, exhibit, display, transform, create derivative works of, and distribute the Feedback and derivative works thereof without limitation on a royalty-free basis. Further, Teradata Corporation will be free to use any ideas, concepts, know- how, or techniques contained in such Feedback for any purpose whatsoever, including developing, manufacturing, or marketing products or services incorporating Feedback. Copyright © 2008-2009 by Teradata Corporation. All Rights Reserved.
Table of Contents
Starting and Stopping Teradata Viewpoint Services ......................... 6 Teradata System Preparation ........................................................... 7
Create a Teradata User for Data Collection........................................... 7 Set Up Access to Console Utilities ....................................................... 7 Grant Permissions to the Teradata User for Data Collection .................... 8
Configure Viewpoint to Monitor a Teradata Database System .......... 9 Log on to the Teradata Viewpoint Server ............................................. 9 Configure the Viewpoint Server to Monitor Teradata Systems ................. 9 Enable the Data Collectors............................................................... 11 Collector Information ...................................................................... 11
Managed Servers Configuration...................................................... 15 Viewpoint LDAP Configuration........................................................ 16
Control Access to Portlets ................................................................ 28 Control Access Within Portlets .......................................................... 28
Configure Viewpoint to Log to TVI.................................................. 28 Back Up Teradata Viewpoint Databases.......................................... 29
Restore a Teradata Viewpoint Database............................................. 30 Changing the Session Timeout........................................................ 30 Ports Used by Teradata Viewpoint.................................................. 31 Setting Teradata Viewpoint Server Time ........................................ 31 Configure NTP Time Synchronization.............................................. 32 Teradata Viewpoint Clustering ....................................................... 33
Cluster Configurations..................................................................... 33 Failure Scenarios............................................................................ 37 Create a Teradata Viewpoint Cluster ................................................. 40 Add Additional Teradata Viewpoint Servers to the Cluster..................... 45 Promote the Standby Cache Database ............................................... 46 Upgrade PostgreSQL to Enable Clustering .......................................... 47 Additional Considerations ................................................................ 50
Teradata Viewpoint Configuration Guide 4
Configure Teradata Viewpoint SSL Support .................................... 53 Enable Teradata Viewpoint for SSL support ........................................ 53
Teradata Viewpoint Properties ....................................................... 56 Available Properties ........................................................................ 56 Accessing Properties ....................................................................... 58
Client-PC Recommendations........................................................... 61 Recommendations by PC Class ......................................................... 61
Audience This document is intended for Teradata Customer Services, Teradata Professional Services, and customers for configuring Teradata Viewpoint software.
Teradata Viewpoint Server When the Teradata Viewpoint server arrives at the customer site, it should have the necessary software installed and be ready to add Teradata Database systems to monitor and for users to access the portal. The Teradata Viewpoint server is ready if the login screen appears in the browser.
Starting and Stopping Teradata Viewpoint Services Teradata Viewpoint 13.0.1 includes the following separate services:
o viewpoint The Teradata Viewpoint portal which provides web browser access.
o dcs The Data Collection Service which monitors and collects data from Teradata systems.
o tmsmonitor The Teradata Managed Server Monitor which monitors performance of the Teradata Viewpoint server.
Each service has an init script on the Teradata Viewpoint server located in the /etc/init.d directory. The init scripts support the following command arguments:
o start - Starts the service. If the service is already running, a new instance is not started.
o stop - Stops the service. The script succeeds even when the service is not running.
o restart - Stops and starts the service.
o status - Checks if the service is currently running.
For example, to start the Teradata Viewpoint portal, type the following command:
/etc/init.d/viewpoint start
To stop the Teradata Viewpoint portal, type the following command: /etc/init.d/viewpoint stop
To restart the Data Collection Service, type the following command: /etc/init.d/dcs restart
To check if the Teradata Managed Server Monitor is running, type the following command:
/etc/init.d/tmsmonitor status
Teradata System Preparation To monitor a Teradata Database system, Teradata Viewpoint requires a Teradata system login with a set of specific permissions. SQL commands can be used to create a user and grant permissions.
The Teradata user, used by Teradata Viewpoint, must have sufficient spool space to allow Teradata Viewpoint to issue monitoring queries. Also, perm space is required by the Lock Information collector that is used by the Lock Viewer portlet starting with Teradata Viewpoint 13.0.1.
The user can be an existing user. The username and the password is called viewpoint in the following procedures as an example.
Create a Teradata User for Data Collection
Create a Teradata user for Teradata Viewpoint Data Collection.
1. Type the following command, where <perm space> and <spool space> are the respective perm space and spool space to allocate the user: create user viewpoint as perm=<perm space>, spool=<spool space> password=viewpoint;
Set Up Access to Console Utilities
1. Do one of the following:
o If Teradata Manager is not monitoring the target Teradata Database system, type the following command:
create user console as perm=50000, spool=50000, account='$H-remote- console-use', password=console, fallback;
replace macro console.dbscontrol as (;); replace macro console.aborthost as (;); replace macro console.config as (;); replace macro console.checktableb as (;); replace macro dumplocklog as (;); replace macro console.ferret as (;); replace macro console.xgtwglobal as (;); replace macro console.lokdisp as (;); replace macro console.cnscons as (;); replace macro console.schmon as (;); replace macro console.qryconfig as (;); replace macro console.qrysessn as (;); replace macro console.rcvmanager as (;); replace macro console.showlocks as (;); replace macro console.tdwmdmp as (;); replace macro console.vprocmanager as (;);
o If Teradata Manager is monitoring the target Teradata Database system, go to Grant Permissions to the Teradata User for Data Collection on page 8.
Grant Permissions to the Teradata User for Data Collection
Grant permissions to the Teradata user for Teradata Viewpoint Data Collection.
1. Do one of the following:
o If the tdwm database exists on the target Teradata Database system, type the following command, then go to step 2:
grant select on TDWM to viewpoint;
o If the tdwm database does not exist, go to step 2.
2. Type the following commands:
grant monitor to viewpoint;
replace macro console.awtmon as ( ; );
grant exec on console.rcvmanager to viewpoint;
grant exec on console.showlocks to viewpoint;
grant exec on console.vprocmanager to viewpoint;
grant exec on console.tdwmdmp to viewpoint;
Configure Viewpoint to Monitor a Teradata Database System Log on to the Teradata Viewpoint Server
1. Open a browser.
o For Viewpoint 13.0.0, use Microsoft Internet Explorer version 6 or 7, or Mozilla Firefox version 2.
o For Teradata Viewpoint 13.0.1, use Mozilla Firefox version 3.
2. Enter the host name or IP address of the Teradata Viewpoint server.
For example: http://viewpoint
3. Log on to Teradata Viewpoint with the username of admin and the password of teradata (default).
The password can be changed at any time.
Configure the Viewpoint Server to Monitor Teradata Systems
Add a Teradata Database system to the Viewpoint Configuration portlet. Teradata Database systems must be added to the Viewpoint Configuration portlet before you can configure the data collectors to monitor the database.
The following procedure is more fully described in Teradata Viewpoint Help.
1. Click Admin > Configuration.
The TERADATA SYSTEMS view appears.
2. Click Add a System.
3. Enter a SYSTEM NICKNAME (8 characters or less) for the Teradata Database system.
4. [Optional] Select System Enabled to activate the Teradata Database system for monitoring.
5. In the HOST NAME field, enter the name of your Teradata Database system. Typically, this is the cop name.
Using the cop name allows Teradata Viewpoint to connect to multiple gateways.
6. If the cop address is not in the DNS, define it in the HOSTS file located in the /etc/hosts directory on the Viewpoint server.
IP addresses are not recommended unless the system is an SMP. Do not use the Teradata Query Directory host name or IP address.
7. In the LOGIN section, create a user login.
a. Enter a user Name.
b. Enter a Password.
c. [Optional] Enter an Account string to differentiate the user account.
d. Click + to add additional login accounts.
There is no limit to the number of login accounts associated with a Teradata Database system. Multiple logins are useful for running canary queries using a specific user and account string.
The user login must have specific permissions. See Grant Permissions to the Teradata User for Data Collection on page 8.
8. [Optional] In the COLLECTORS section, select the Turn on all collectors with default settings checkbox to enable the default collectors for the new system.
9. In the CHARACTER SET section, set the session and monitor default character sets.
To set the JDBC Flag, you must set both the session character set and the monitor character set to ASCII.
The session character set defaults to UTF8, while the monitor character set defaults to ASCII.
10. Click Apply.
Enable the Data Collectors
Data collection must be enabled for each Teradata Database system you want to monitor.
To enable or disable a Teradata Viewpoint Data Collector, use the Viewpoint Configuration portlet. For more information, see Teradata Viewpoint Help.
The Teradata Viewpoint Data Collection Service (DCS) connects to the Teradata Database system through the customer LAN and accesses the appropriate data sources through the Teradata JDBC driver. Generally, the default values can be used. In fact, using the default values initially and then fine tuning them at a later time is recommended. The set up must still be completed to enable the collectors if the Turn on all collectors with default settings checkbox was not selected while configuring the new system.
Data collection parameters must be set or defaults saved for the following:
o Sessions
Collector Information
Following is a description of each collector, its impact on a Teradata Database system, and how Teradata Viewpoint uses the data collected.
Sessions
Session data is collected by querying the Teradata MONITOR partition using the PM/API. Session-level statistics are collected in memory by Teradata Database at a configurable sample rate. The default option in Teradata Viewpoint collects session data at the same rate as sampled by Teradata Database. Collecting session data more frequently than the session sample rate in Teradata Database will result in duplicate data being collected and wasted CPU. Teradata Performance Monitor (PMON) can be used to change the Teradata Database session sample rate.
My Queries, Filtered Queries, and Query Monitor, generally referred to as the Queries portlets, use session data. The data is also used for the Active Sessions metric in the System Health, Capacity Heatmap, and Metrics Graph portlets. If this collector is not enabled, the Queries portlets always display zero sessions. If this collector is enabled and then disabled, the Queries portlets display stale session data. The Session collector and the System Statistics collector must be enabled for the Active Sessions metric to display data in the System Health, Capacity Heatmap, and Metrics Graph portlets.
Query Count
Query count and query log data are collected by querying the DBQLogTbl and DBQLSummaryTbl tables in the Teradata DBC database. For a query to be counted, it must be logged to either the DBQLogTbl or DBQLSummaryTbl table by enabling query logging in Teradata Database. When enabling query logging, it is important to manage the size of the DBQL tables. Clearing the DBQL tables nightly is recommended. The queries performed by Teradata Viewpoint against DBQL require an all-row scan. If the size of the DBQL tables is not managed, queries against them can cause unnecessary use of Teradata Database resources. Teradata Professional Services has a Data Collection and Capacity Planning offering that includes the movement and cleanup of DBQL data on a nightly basis. If DBQL is not cleaned up nightly, using the Query Count collector is not recommended.
The Productivity portlet uses query count data to show total query counts and query counts by application on an hourly basis. The Today's Statistics portlet also uses the data to show query counts and query log data for the last hour of collected data, grouped by duration. Lastly, the Capacity Heatmap and the Metrics Graph portlets show query count and query log data collected over the hour. The default collection rate for querying DBQL is 1 hour. To get the portlets to show more up-to-date query counts, the collection frequency can be increased, at the cost of using up more Teradata Database resources to query DBQL more frequently.
System Statistics
System statistics data is collected by querying the Teradata MONITOR partition using the PM/API. Physical and virtual resource statistics are collected in memory by Teradata Database at a configurable sample rate. The default option in Teradata Viewpoint collects system statistics data at the same rate as sampled by Teradata Database. Collecting system statistics data more frequently than the resource sample rate in Teradata Database results in duplicate data being collected and wasted CPU. PMON can be used to change the Teradata Database resource sample rate.
For pre-12.0 Teradata Database systems, the System Statistics collector also executes "awtmon -s" through the Teradata CONSOLE partition to collect AMP Worker Task (AWT) usage. The "awtmon -s" command currently only works on MP-RAS systems. No AWT usage data is collected for Windows and Linux Teradata Database systems running a version earlier than 12.0. For Teradata Database 12.0 systems and later, the System Statistics collector queries the Teradata MONITOR partition to collect AWT usage information.
The System Health, Capacity Heatmap, Metrics Graph, and Today's Statistics portlets use the System Statistics collector. If this collector is not enabled, these portlets will not display system statistics data.
Canary Queries
The Canary Queries collector executes user-defined canary queries. A special canary query called the System Heartbeat is used to check whether the Teradata Database system is responsive. The System Health, Canary Response Times, and Productivity portlets use the Canary Queries collector.
System Health
The System Health collector does not collect data from Teradata Database, but depends on the data collected by the System Statistics, Sessions, Space, and Canary Queries collectors. These collectors must be enabled for the System Health portlet to correctly determine a system's health. The System Health and Productivity portlets use the data collected by the System Health collector.
Workload
The Workload collector queries the tdwm database to collect workload IDs and names. The Queries portlets use this data to display the name of the workload associated with a query and to list the available workloads for the Change Workload function.
Account Information
The Account Info collector queries the AccountInfo table in the DBC database and collects a list of account strings. The Queries portlets use this data to list the available account strings for the Change Priority function.
Database Space
The Database Space collector queries the DiskSpace and Databases views in the DBC database to collect database space usage metrics.
The Space Usage, Capacity Heatmap, and Metrics Graph portlets use the data collected by the Database Space collector. If this collector is not enabled, these portlets will not display up-to-date database space data.
Disk Space
The Disk Space collector queries the DiskSpace view in the DBC database to collect disk space usage data.
The System Health, Capacity Heatmap, and Metrics Graph portlets use the data collected by the Disk Space collector. If this collector is not enabled, these portlets will not display up-to-date disk space data.
Table Space
The Table Space collector queries the TableSize view in the DBC database to collect table space usage metrics.
The Space Usage, Capacity Heatmap, and Metrics Graph portlets use the data collected by the Table Space collector. If this collector is not enabled, these portlets will not display up-to-date table space data.
Resource Usage
The Resource Usage collector queries the ResUsageSPMA and ResUsageIPMA tables in the DBC database to collect node resource usage data. The collector also queries the ResUsageSVPR table in the DBC database to collect vproc resource usage data. This data is not displayed by any portlet at this time.
Lock Information
The Lock Information collector uses Locking Logger (a database utility) to capture a snapshot of lock information and stores this data in the PostgreSQL database. The Lock Viewer portlet uses the data collected by the Lock Information collector. Therefore, the portlet only displays updated lock data for the period of time when the collector is enabled.
For the Lock Information collector to run, the LockLogger flag in DBSControl on the Teradata system must be set to TRUE.
Managed Servers Configuration Teradata Viewpoint can be configured to monitor certain system-level metrics for managed servers, including Teradata Viewpoint itself. These metrics include data on CPU usage, memory usage, system load, swap space usage, and I/O activity. Data that is collected from different managed servers can be viewed using the Viewpoint Monitoring portlet.
To set up monitoring of a managed server, install the tmsmonitor RPM on the server you wish to monitor. This package is already installed on Teradata Viewpoint 13.0.1 or later staged systems. To install this package, see Upgrade to Teradata Viewpoint 13.0.1.x on page 63.
After the RPM has been installed and the service started, open the Viewpoint Configuration portlet and follow the steps in this topic to enable Viewpoint to start collecting data on the managed server.
1. From the Viewpoint Configuration portlet, click the MANAGED SERVERS panel.
3. Enter a nickname in the MANAGED SYSTEM NAME field.
This nickname will be used by the Viewpoint Configuration portlet to refer to this managed server.
4. [Optional] Select System Enabled to activate the managed system for monitoring.
5. In the HOSTNAME field, enter either an IP address for the managed system or a host name that will resolve by DNS to the managed system.
If the tmsmonitor service is running on a port other than the default of 8888, also specify the port number in the HOSTNAME field. For example, viewpoint.acme.com:8088.
6. In the LOGIN Name and Password fields, leave the default values unless the login and password for this managed system have been changed to different values.
7. [Optional] Test if the tmsmonitor service is accessible and the login and password are correct:
a. Click Test, located at the bottom of the screen.
b. If the test fails, check the Teradata Viewpoint log file located at: /opt/Teradata/viewpoint/logs/viewpoint.log
8. Click Apply to save the new managed system.
9. [Optional] Select the System Enabled checkbox to immediately begin monitoring of the system.
Viewpoint LDAP Configuration When using LDAP with Teradata Viewpoint, the following methods are used to add user accounts:
o Manually entered without LDAP authentication
o Manually entered with LDAP authentication
o Auto-provisioned with LDAP authentication
When users are auto-provisioned, the administrator does not have to enter their account into Teradata Viewpoint. The first time these users log in to Teradata Viewpoint, they are validated against the LDAP directory. If their credentials are valid, a Teradata Viewpoint account is created for them.
LDAP validation works in conjunction with the Externally Authenticated? flag on the Add User and Modify User dialog boxes in the User Manager portlet. If the Externally Authenticated? check box is selected, the user is authenticated through LDAP when logging in. The Externally Authenticated? check box is automatically selected when a user is created using auto-provisioning.
In Teradata Viewpoint Release 13.0.1, you can use the Viewpoint Configuration portlet to do the following:
o Add and delete an LDAP configuration in Teradata Viewpoint.
o Enable and disable the LDAP after it has been added.
o Use the auto-provisioning feature to automatically add users to Teradata Viewpoint on first login.
o Use the role mapping feature to position the new user in Teradata Viewpoint.
As of Viewpoint 13.0.1, any changes made to the LDAP configuration using the Viewpoint Configuration portlet are automatically applied to Viewpoint. You no longer need to configure LDAP using the server.xml file or restart Viewpoint to apply LDAP configuration changes.
Prerequisites
o The URL of the LDAP server. For example: ldap://ldap.acme.com:389.
o The username and password of a customer user or availability of that user to test the configuration.
Definitions Term Definition Lightweight Directory Access Protocol (LDAP)
Technically an application-protocol, LDAP is frequently used to refer to a directory server such as Microsoft Active Directory or OpenLDAP.
LDAP Data Interchange Format (LDIF)
A standard, plain text data interchange format for representing LDAP directory content and update requests.
Distinguished Name (DN)
The full "path" to a user-entry in LDAP. Every user's DN is, by definition, unique. The DN consists of its Relative Distinguished Name (RDN) constructed from some attribute(s) in the entry, followed by the parent entry's DN. Think of the DN as a full file name and the RDN as a relative filename in a folder. In the following example, the DN is the entire string: cn=joec,OU=NorthAmerica,OU=User Accounts,DC=td,DC=acme,DC=com
Relatively Distinguished Name (RDN)
The part of a DN that distinguishes an entry from others at the same level in the tree.
Term Definition Common Name (CN)
The CN is an attribute of a user-entry that is typically part of the user's DN and very often, but not always, the same value as the user's corporate username. In the following example, the CN is joec. cn=joec,OU=NorthAmerica,OU=User Accounts,DC=td,DC=acme,DC=com
Bind Used for LDAP authentication, binding is an LDAP operation that authenticates a username and a password.
Service Account An LDAP service account is an account (username and password) not associated with a customer user, but existing for the purposes of binding to LDAP to perform a search of the directory. Typically, a service account is required when the DN of an authenticating-user is unknown, and an LDAP search (based on some other attribute of the user-entry such as sAMAccountName) must first be performed to determine the user's DN. After the user's DN has been determined, a normal bind using the user's DN and password is executed.
Viewpoint Authenticator
Also referred to simply as the Authenticator, this is the component of Viewpoint that executes the authentication process against LDAP, among other actions.
log4j.xml The XML file used to configure Viewpoint's log output detail. The full path is: VIEWPOINT_DIR/common/classes/log4j.xml.
viewpoint.log The file where Viewpoint logs messages by default. The full path is: VIEWPOINT_DIR/logs/viewpoint.log.
Before You Begin
LDAP Data Interchange Format (LDIF)
1. Ask the LDAP administrator of the customer for the following:
a. The user-entry details for the customer user in LDIF form.
The following LDIF snippet is an example: dn: cn=joec,dc=User Accounts,dc=acme,dc=com cn: joec givenName: Joe sn: Customer telephoneNumber: +1 888 555 6789 telephoneNumber: +1 888 555 1232 mail: [[email protected]|mailto:[email protected]].com sAMAccountName: customerjoe objectClass: inetOrgPerson memberOf: cn=Sales,ou=Groups,dc=acme,dc=com memberOf: cn=DBA,ou=Groups,dc=acme,dc=com ...
b. At least one other future Viewpoint customer user, preferably in a different region or country.
Determine LDAP Configuration Mode
1. Read the following flowchart to determine which Viewpoint Authenticator configuration mode to use:
o DN pattern bind
o User search w/bind
Is Username in DN?
To bind to LDAP, the Viewpoint Authenticator must know the DN of Joe Customer. When logging in, Joe will present a corporate username, which is usually, but not always, part of the DN. Using the following DN as an example:
cn=joec,dc=User Accounts,dc=acme,dc=com
1. If the corporate username for Joe is joec and the username is in the DN, perform a DN pattern bind.
2. If the corporate username for Joe is customerjoe, that is the sAMAccountName attribute from the LDIF snippet, the username is not in DN. Search the LDAP tree for a user entry where the attribute matches the username value presented by Joe Customer.
3. Proceed to Number of Bind Patterns on page 20.
Number of Bind Patterns
After establishing Joe's DN and verifying the username for Joe is part of the DN string, you will bind to LDAP using the DN and password for Joe. As a reminder, following is the DN for Joe:
cn=joec,dc=User Accounts,dc=acme,dc=com
1. Are all users in Joe's company located at the same Base DN in LDAP? That is, do all user DNs have the following pattern? cn=<<USERNAME>>,dc=User Accounts,dc=acme,dc=com
If yes, the number of bind patterns is 1. Proceed to step 3. However, if users are located at multiple Base DNs, proceed to step 2.
2. If users are located at multiple Base DNs, you will need to get this information from the LDAP administrator for the customer.
For example, at Joe's company, there might be the following users: cn=joec,dc=User Accounts,dc=acme,dc=com cn=janedoe,dc=Contractors,dc=User Accounts,dc=acme,dc=com cn=kaizers,dc=Europe,dc=User Accounts,dc=acme,dc=com
If there are multiple DN patterns, the Viewpoint Authenticator will iterate over each of the patterns until it finds one that matches the username presented. If it does not match, it will fail to authenticate. Therefore, if the number of patterns grows to seven or more, it may be faster to perform a user search.
3. Select one of the following in the LDAP SERVERS panel of the Viewpoint Configuration portlet:
o If there are less than 7 DN patterns, select the DN Pattern Bind option.
o If there are 7 or more DN patterns, select the User Search option.
LDAP Configuration
As of Viewpoint 13.0.1, the Viewpoint Authenticator is configured in the LDAP panel of the Viewpoint Configuration portlet. Attribute Description Basic Configuration Nickname The short name by which this LDAP configuration will be referred to in the
Viewpoint Configuration portlet. This name must be 8 characters or less. Enabled Checked to enable this LDAP configuration as part of the Viewpoint authentication
process. Unchecked to disable this LDAP configuration as part of the Viewpoint authentication process.
Url One or more URLs for this LDAP configuration. The URL should include the appropriate protocol (ldap:// or ldaps://) as well as the port. For example, “ldap://ldap.acme.com:389”. Only enter more than one URL if all of the URLs point to a similarly-configured LDAP server. This might be the case if you have replicated LDAP servers or a failover LDAP server that should be used if the primary one is unreachable.
DN Pattern Bind Pattern The DN pattern(s) to perform the LDAP user bind attempt with. The patterns will
be invoked in the order specified, so it is recommended to put the patterns that will match the most users before those that will match fewer users. For example: "cn={0},OU=User Accounts,DC=acme,DC=com"
User Search Service account DN
The DN of the LDAP service account. The DN should not be surrounded by parenthesis.
Service account password
The password of the LDAP service account specified in the Service account DN field above.
Search pattern The LDAP attribute to match against the presented username when searching for a user-entry. If the cn attribute is the username, then set to (cn={0}). If the sAMAccountName attribute is the username, then set to (sAMAccountName={0}).
Search base The entry that is the base of the subtree containing users. If not specified, the search base is the top-level context. For example: OU=User Accounts,DC=acme,DC=com
Search extent Checked to search the entire subtree rooted at the Search base entry. Unchecked to request a single-level search including only the top level.
Key User Information LDAP first name attribute
The name of the attribute on the LDAP user entry that specifies the first name of the user (given name).
LDAP last name attribute
The name of the attribute on the LDAP user entry that specifies the last name of the user (surname).
LDAP email attribute
The name of the attribute on the user object that specifies the email address of the user.
Attribute Description Auto-Provisioning Turn on auto- provisioning
Set to true to enable auto-provisioning. Set to false to disable auto-provisioning.
Automatically assign these roles
When auto-provisioning is enabled, the newly provisioned user is automatically added to these roles. This attribute is often set to User.
Default email domain
If auto-provisioning is enabled and the email address of the user cannot be determined from LDAP, the new user's initial email address will be created in this domain. Set this to the domain of the customer. For example, acme.com. Usually this attribute does not have to be specified.
Role Mapping Global Settings Group search base The entry that is the base of the subtree containing groups. This field only needs
to be specified if role mappings of type GROUP are used. Group search subtree
Checked to search the entire subtree rooted at the Group search base entry. Unchecked to request a single-level search including only the top level. This field only needs to be specified if role mappings of type GROUP are used.
Group attribute name
The name of the attribute on the LDAP group entry that contains the DNs of the users in the group.
Role Mapping Individual Settings Type Set to ATTRIBUTE to perform a mapping from a LDAP user’s entry value to a
Viewpoint role. Set to GROUP to perform a mapping from an LDAP group to a Viewpoint role.
Attribute name The name of a LDAP attribute in the user's entry that specifies LDAP group and role membership for the purpose of mapping to Viewpoint roles. This setting is only applicable to mappings of type ATTRIBUTE.
LDAP value The value of the attribute specified in the Attribute name field that should be mapped to the role specified in the Viewpoint role field. For more details, see Role-mapping on page 23.
Viewpoint role The role in Viewpoint to which users will be mapped.
Standard Configuration and Testing
The nickname, URLs, name matching (either DN Pattern Bind or User Search), and key user information sections are all part of the standard configuration for Viewpoint LDAP authentication.
After these sections are completed in the Viewpoint Configuration portlet, you can test these settings before saving the changes. Since any changes made to the LDAP configuration are instantly applied to the Viewpoint authentication process, it is highly recommended you test the functionality before saving any changes.
To test the current LDAP configuration, perform the following steps in the LDAP SERVERS panel of the Viewpoint Configuration portlet.
1. Click Test in the SETTINGS TEST section.
2. Enter a username and password exactly as you would if you were logging into Viewpoint.
3. Click Run.
After the test is complete, an icon appears indicating if the authentication against LDAP was successful. If the authentication is successful, details of the test user are displayed in the SETTINGS TEST section. If the authentication was not successful, an error message displays.
Role-mapping
The examples below detail the two different types of role mapping available in Teradata Viewpoint. For both types of role mapping, the following characteristics apply:
o The Viewpoint role being mapped should be created beforehand by the Viewpoint Administrator.
o If a user is mapped into a role and logs out, each role-mapping is re- examined the next time they log in. If they are no longer a member of that LDAP group and role, they will be removed from the mapped Viewpoint role. However, in the time between logging out and logging back in again, they will be listed in Viewpoint as a member of that role.
Example 1
1. Configure the Viewpoint Authenticator to map authenticated LDAP users into Viewpoint roles based on group membership recorded on a user entry. The relevant XML attributes:
As a reminder, following is the LDIF for Joe: dn: cn=joec,dc=User Accounts,dc=acme,dc=com cn: joec givenName: Joe sn: Customer telephoneNumber: +1 888 555 6789 telephoneNumber: +1 888 555 1232 mail: [email protected] sAMAccountName: customerjoe objectClass: inetOrgPerson memberOf: cn=Sales,ou=Groups,dc=acme,dc=com memberOf: cn=DBA,ou=Groups,dc=acme,dc=com ...
The memberOf attribute is used to specify Joe's membership in two groups whose names are specified with a full DN: (cn=Sales,ou=Groups,dc=acme,dc=com and cn=DBA,ou=Groups,dc=acme,dc=com). To map those two groups onto two Viewpoint roles, SALES_ROLE and DBA_ROLE, the XML would be as follows:
First role mapping
o Type: ATTRIBUTE
o Viewpoint role: SALES_ROLE
o Viewpoint role: DBA_ROLE
Example 2
1. Configure the Viewpoint Authenticator to map authenticated LDAP users into Viewpoint roles based on group membership maintained in a static group. A static group is a separate entity in LDAP that maintains its own list of members.
Assume the following is the LDIF for a static group ‘Sales’: dn: cn=sales,dc=Groups,dc=acme,dc=com cn: sales objectClass: groupOfUniqueNames uniqueMember: cn=joec,dc=User Accounts,dc=acme,dc=com uniqueMember: cn=janed,dc=User Accounts,dc=acme,dc=com ...
The uniqueMember attribute is used to specify two members of the group with full DNs of: (cn=joec,dc=User Accounts,dc=acme,dc=com) and (cn=janed,dc=User Accounts,dc=acme,dc=com). To map these two users into the Viewpoint role SALES_ROLE, the configuration would be as follows:
Role mapping global settings
o Group search subtree: (unchecked)
o Group attribute name: uniqueMember
Role mapping
o Viewpoint role: SALES_ROLE
LDAP Over SSL (LDAPS)
For LDAP over SSL (also knows as LDAPS) support, ensure the URL in the Viewpoint Configuration portlet reads ldaps://ldap.acme.com:636. The prefix is ldaps instead of ldap, and the port number is 636 instead of 389.
If the Certification Authority (CA) of the LDAP server is not trusted by the Viewpoint server, use the following procedure to store the CA certificate for the LDAP server into the cacerts keystore on the Viewpoint server.
1. Log in to the Teradata Viewpoint server (Linux) as root.
2. Install the SSL Certificate by typing the following commands:
keytool -import -alias <your_alias> -keystore $JDK5_64_HOME/jre/lib/security/cacerts -trustcacerts -file <your_certificate_filename>
Refer to the Java keytool command documentation for additional configuration steps and options if necessary: http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html
Enable Debug Logging
If using the new test functionality in the Viewpoint Configuration portlet is not sufficient to troubleshoot a specific LDAP issue, Teradata Viewpoint can be configured to output detailed log information to help diagnose the issue.
You can change back the logging levels when the troubleshooting is complete.
1. Make a copy of log4j.xml. For example: log4j.xml.old.
This file is located at: /opt/teradata/viewpoint/common/classes.
2. Insert the following XML stanzas into log4j.xml. Comment out any similar stanzas, if present.
3. Restart Viewpoint for the logging changes to take effect.
4. View the log output located at VIEWPOINT_DIR/logs/viewpoint.log.
Following is an example:  <logger name="com.teradata.viewpoint.security.container.tomcat.authn">  <level value="DEBUG" /> </logger> <logger name="com.teradata.viewpoint.security.config.XmlConfigLoader">  <level value="DEBUG" /> </logger> <logger name="org.apache.catalina.realm">  <level value="DEBUG" /> </logger> <logger name="org.apache.catalina.realm.RealmBase">  <level value="WARN" /> </logger>
Add Teradata Viewpoint Roles Teradata Viewpoint allows System Administrators to assign permissions by creating classes of users called roles. Various roles are created and each user is assigned to a role allowing each portlet to be controlled with a high level of granularity. For example, a DBA can have permission to abort a query in the My Queries portlet while other classes of users do not have permission.
Teradata Viewpoint includes two pre-configured roles called Administrator and User. Each role can be tailored as needed and additional roles can be added.
Roles can also be modified, deleted, or copied and then modified. To modify, delete, or copy a role, see Teradata Viewpoint Help.
To add a role, assign users to a role, and then enable portlets for a role, see Teradata Viewpoint Help.
Add Teradata Viewpoint Users Before assigning a role to a user, verify the role and user exists. Users can be assigned to roles using either Roles Manager or User Manager. You can also use the LDAP interface. See Managed Servers Configuration on page 15.
Teradata Viewpoint can be configured to monitor certain system level metrics for managed servers, including Teradata Viewpoint itself. These metrics include data on CPU usage, memory usage, system load, swap space usage, and I/O activity. Data that is collected from different managed servers can be viewed using the Viewpoint Monitoring portlet.
To set up monitoring of a managed server, install the tmsmonitor RPM on the server you wish to monitor. See the Teradata Viewpoint Staging Guide.
After the RPM has been installed and the service started, return to the Viewpoint Configuration portlet and use the following procedure to enable Viewpoint to start collecting data on the managed server.
1. In the Viewpoint Configuration portlet, click the MANAGED SERVERS panel.
3. Enter a nickname in the MANAGED SYSTEM NAME field. This nickname will be used by the Viewpoint Configuration portlet to refer to this managed server.
4. [Optional] Select Server enabled to activate the managed system for monitoring.
5. In the HOSTNAME field, enter either an IP address for the managed system or a host name that will resolve by DNS to the managed system. If the tmsmonitor service is running on a port other than the default of 8080, also specify the port number in the HOSTNAME field. For example, viewpoint.acme.com:8088.
6. For the LOGIN Name and Password fields, leave the default values unless the login and password for this managed system have been changed to different values as outlined in the Teradata Viewpoint Staging Guide.
7. [Optional] Click Test, located at the bottom of the screen, to test the tmsmonitor service is accessible and the login and password are correct.
8. Click Apply to save the new managed system. Monitoring of the system begins immediately if the Server enabled checkbox is selected.
To add a user account, assign a role to a user, and modify or delete a user account, see Teradata Viewpoint Help.
Configure Teradata Viewpoint Security Control Access to Portlets
The Portlet Library allows administrators to globally enable or disable portlets. This setting takes precedence over every other portlet permission level. You can browse the list of installed portlets by category, name, and software version, and see if the portlet is enabled or disabled.
To enable or disable portlets, see Teradata Viewpoint Help.
Control Access Within Portlets
The Roles Manager portlet allows Teradata Viewpoint Administrators to configure what roles have permission to access specific functionality for a specific system in each portlet.
To enable or disable permissions, see Teradata Viewpoint Help.
Configure Viewpoint to Log to TVI The default TVI logging configuration assumes Teradata Viewpoint is running on a managed server. If this is the case, no special configuration is needed. However, if Teradata Viewpoint is running on an unmanaged server, it must be configured to send errors using TVI.
Before starting, contact the administrator who set up the TVI Administration Software (TAS) for your system. Find out if the system supports logging to TVI using a queue table. If a queue table has been set up for your system, ask for the login information for this queue table.
Configure TVI to Log Errors
1. Shut down Teradata Viewpoint.
2. Open conf/context.xml to add a data source.
3. Modify the URL, User, and Password according to the TVI queue table login information.
The name of the data source must be jdbc/td_tviqtable.
The following is an example: 
<Resource name="jdbc/td_tviqtable" auth="Container" driverClass="com.teradata.jdbc.TeraDriver" jdbcUrl="jdbc:teradata://yoursystem" user="tvilogger" password="tvilogger"
maxPoolSize="100" minPoolSize="1" acquireIncrement="1" maxIdleTime="120" factory="org.apache.naming.factory.BeanFactory" type="com.mchange.v2.c3p0.ComboPooledDataSource"/>
4. Start Teradata Viewpoint.
5. Do the following:
b. Look for messages that state the following:
TVILogger will write to queue table
Serious errors in Teradata Viewpoint will now be sent through TVI.
Back Up Teradata Viewpoint Databases The Teradata Viewpoint Data Collection Service (DCS) automatically creates snapshot dumps of the Teradata Viewpoint databases on a daily basis. The backup process can be managed in the Viewpoint Configuration portlet. The following options can be specified via this portlet.
Property Name
Default Setting
Enabled Checked to enable the backup process and unchecked to disable it.
checked
Location The location of the backup files, either on the Viewpoint server or on a networked file server. The location of the local backup files is always /data/backup. For a networked backup, enter the host name (or IP address) of the NFS server and the absolute path to where the backups should be written. If local backups are performed, it is recommended a copy of the files be kept off the Viewpoint server to prevent data loss in the event of a catastrophic failure.
Local
Backup time The time of day that the backup process will begin.
12:00 AM (midnight)
Retention days The number of days to keep backups before they are removed.
7
Four databases are stored on a Teradata Viewpoint server:
o lportal
o td_portal
o td_portlets
o dcsdb
Each database has its own nightly backup file.
1. Navigate to the directory where the database backup files are located.
2. Type the following commands: su postgres pg_restore --clean –d <database_name> <name_of_backup_file>
Changing the Session Timeout The session timeout in Teradata Viewpoint is 90 minutes, by default. Use the following procedure to change the default setting.
If you want the sessions to never timeout, set the value to 0.
This setting must be reapplied after a Teradata Viewpoint upgrade.
1. Stop the Teradata Viewpoint portal.
2. Open the following file: /opt/teradata/viewpoint/webapps/ROOT/WEB-INF/web.xml
3. Locate the following and change the 90 minute value to the desired session timeout. <session-config> <session-timeout>90</session-timeout> </session-config>
Ports Used by Teradata Viewpoint Following is a list of ports used by Teradata Viewpoint. Additional ports are required for Teradata Viewpoint clustering. See Additional Considerations on page 50.
Incoming Ports
o 389 (optional for LDAP authentication)
Setting Teradata Viewpoint Server Time The preferred way to set the Teradata Viewpoint server time is to use NTP. See Configure NTP Time Synchronization on page 32.
Caution: If setting the time manually, shutdown the DCS before changing the time to prevent possible data loss that could result if the date is set incorrectly. Ensure the date is correct before restarting the DCS.
1. Type the following command:
yast timezone
2. Select the region using the arrow key.
3. Tab to the Time Zone field and use the arrow key to select the appropriate time zone.
4. Tab to the Change Time or Date field and press Enter.
5. Tab to the appropriate time and date entries and use the backspace key to delete the old value.
6. Enter the new value.
7. Tab through the subsequent entries until finished.
8. Tab to Apply and press Enter.
9. Tab to Accept and press Enter to accept the change.
Configure NTP Time Synchronization To ensure the time on the Teradata Viewpoint server is always accurate, you can configure NTP time synchronization. This is especially important if setting up a Viewpoint cluster because the time between the servers needs to be in sync.
This set up assumes a time server is available on the LAN. If no time server is available, then time will be only synchronized between the Viewpoint servers in a cluster and not a master time source. Use the following procedure for each Viewpoint server.
1. Enable the ntp service by typing the following command: chkconfig ntp on
2. If the customer has a time server, do the following:
a. Open edit /etc/ntp.conf.
b. Add the following line to the end of the file where [host] is the host name of the time server:
server [host]
3. If Teradata Viewpoint is configured in a cluster, do the following:
a. Open /etc/ntp.conf.
b. Add the following line to the end of the file for each Teradata Viewpoint server in the cluster, excluding the current host, where [address] is the IP address of another Teradata Viewpoint server:
peer [address]
4. Start the ntp service by typing the following command: /etc/init.d/ntp start
Teradata Viewpoint Clustering Starting with Teradata Viewpoint 13.0.1, multiple Teradata Viewpoint servers can be clustered together for purposes of high availability and scalability. Each Teradata Viewpoint server in a cluster shares the same users, roles, permissions, preferences, and collected data from monitored Teradata systems. This topic covers the following:
o Cluster Configurations
o Failure Scenarios
o Adding Additional Teradata Viewpoint Servers to the Cluster
o Promoting the Standby Cache Database
o Upgrading PostgreSQL to Enable Clustering
o Additional Considerations
o High Availability configuration
o High Usage configuration
High Availability Configuration: Two Teradata Viewpoint Servers
This is the base configuration for customers that want to set up a Teradata Viewpoint cluster.
The following diagram shows two Teradata Viewpoint servers configured in a cluster. Both Teradata Viewpoint instances point at the same active cache database. A standby cache database is kept up to date with the last minute of data in case of a failure. An active Data Collection Service (DCS) runs on the same Teradata Viewpoint server as the active cache database. The other Teradata Viewpoint server contains a standby DCS that takes over data collection when the active DCS goes down. The Teradata Viewpoint servers share a distributed cache so the state between the Teradata Viewpoint portals remains consistent.
High Usage Configuration: Three or More Teradata Viewpoint Servers
This configuration extends the High Availability configuration to allow Teradata Viewpoint to scale to thousands of concurrent users by adding Teradata Viewpoint servers to the cluster. These added Teradata Viewpoint servers only run the Teradata Viewpoint portal and not the DCS or cache database. Instead, they point to the cluster-wide cache database to access users, permissions, preferences, and collected data. The two additional Teradata Viewpoint servers shown in the following diagram are marked optional as they are not required for high availability. Even though these added servers only run the Teradata Viewpoint portal, they are staged the same as any Teradata Viewpoint server and have the DCS and cache database installed, but not enabled.
Advanced Configuration: Three or More Teradata Viewpoint Servers with Dedicated Cache Database Server
This configuration is for customers that require better cache database performance because of high use or because multiple large/high use Teradata systems are being monitored.
In this configuration, the Teradata Viewpoint portal is not run on the same machine as the active cache database. This provides the cache database more system resources.
Failure Scenarios
Data Collection Service (DCS) Failure (Scenario 1)
If the active DCS goes down, the standby DCS automatically takes over data collection and logs an error to TVI and optionally sends out an email. When the standby DCS detects the active DCS is back online, it stops data collection and continues to operate in standby mode.
Cache Database Failure (Scenario 2)
If the DCS detects that the active cache database is down, the DCS logs an error to TVI and optionally sends out an email. If the problem is not trivial to solve, the System Administrator can promote the standby cache database. Promoting the standby cache database makes the standby cache database become the active cache database. The promotion is broadcast to all Teradata Viewpoint servers and they are automatically redirected to the new active cache database. The standby DCS automatically becomes the new active DCS. After the standby machine is promoted, a new standby cache database needs to be set up by the System Administrator. See Create a Teradata Viewpoint Cluster on page 40.
If the cluster is set up using the Advanced configuration, stop the Teradata Viewpoint portal on the new active cache database server so that it continues to run on a dedicated machine.
Active Teradata Viewpoint Server Failure
This failover scenario is the combination of scenario 1 and 2. The standby DCS detects that the active DCS and cache database are down and logs an error to TVI and optionally sends out an email. If the problem is not trivial to solve, the System Administrator can promote the standby cache database to the active cache database. A notification is broadcast to all Teradata Viewpoint portals so that they are automatically redirected to the new active cache database. The standby DCS becomes the new active DCS. After the standby machine is promoted, a new standby cache database needs to be set up by the System Administrator. See Create a Teradata Viewpoint Cluster on page 40.
If the cluster is set up using the Advanced configuration, stop the Teradata Viewpoint portal on the new active cache database server so that it continues to run on a dedicated machine.
Create a Teradata Viewpoint Cluster
This topic describes how to create a Teradata Viewpoint cluster. Two Teradata Viewpoint servers are required. One will be configured with the active cache database and the other will be configured with the standby cache database. To add additional Teradata Viewpoint servers to the cluster, see Add Additional Teradata Viewpoint Servers to the Cluster on page 45.
System Preparation
1. Check the Teradata Viewpoint software version installed on both servers. Make sure the installed versions are the same and the version installed is at least 13.0.1.
If the version numbers are not the same or the installed version is less than 13.0.1, upgrade the servers to 13.0.1 or later version. See Upgrade to Teradata Viewpoint 13.0.1.x on page 63. The Teradata Viewpoint versions on all servers in a Teradata Viewpoint cluster must be identical.
2. Check the PostgreSQL versions.
Teradata Viewpoint servers staged before the Teradata Viewpoint 13.0.1 release have an older version of PostgreSQL installed that is incompatible with clustering.
Creating a cluster requires PostgreSQL 8.3.5 be installed on both servers.
a. To check the version number of a running PostgreSQL instance, use the following commands:
su postgres psql SELECT version();
b. If the PostgreSQL version is not equal to 8.3.5, see Upgrade PostgreSQL to Enable Clustering on page 47.
3. Determine which server is going to host the active cache database and which one is going to host the standby cache database. The server that is going to host the active cache database can already have existing users, roles, permissions, preferences, and collected data from monitored Teradata systems that will be shared by all Teradata Viewpoint servers in the cluster. Any data on the server hosting the standby cache database will be lost.
4. Configure NTP time synchronization. See Configure NTP Time Synchronization on page 32.
Set Up Cluster Configuration Files
1. On both servers, copy cluster configuration files to /etc/opt/teradata/viewpoint/ by typing the following commands: cp /opt/teradata/dcs/config/local.cluster.properties /etc/opt/teradata/viewpoint/ cp /opt/teradata/dcs/config/distributed.cluster.properties /etc/opt/teradata/viewpoint/ cp /opt/teradata/dcs/config/cluster-protocol-stacks.xml /etc/opt/teradata/viewpoint/
2. Edit /etc/opt/teradata/viewpoint/distributed.cluster.properties on both servers.
a. Set the value of the active.database.host property to the host name or IP address of the active cache database server.
b. Set the value of the standby.database.host to the host name or IP address of the standby cache database server.
For example: active.database.host=viewpoint1 standby.database.host=viewpoint2
3. Edit /etc/opt/teradata/viewpoint/local.cluster.properties on both servers.
a. Set the value of the cluster.hosts property equal to the host names or IP addresses of both Teradata Viewpoint servers separated by a comma. If enabling host authentication (see Additional Considerations on page 50), the cluster.hosts property must only include IP addresses and not host names.
For example: cluster.hosts=viewpoint1,viewpoint2
a. Run /opt/teradata/dcs/bin/clustertest.sh on both servers. This command reads in data from the console.
b. Enter console input and ensure that when Enter is pressed, the text appears on the other server’s console.
c. Enter text on both servers and ensure it appears on the other server when Enter is pressed. If this does not work, check the configuration again in /etc/opt/teradata/viewpoint/local.cluster.properties to see if the cluster.hosts property was set correctly.
d. To enable more debug information, set the cluster.debug.enabled property to true and run /opt/teradata/dcs/bin/clustertest.sh again.
e. Press Ctrl-D on each console to exit.
5. After the test succeeds of the cluster configuration, do the following:
a. Edit /etc/opt/teradata/viewpoint/local.cluster.properties on both servers.
b. Set the cluster.enabled property to true.
6. Restart Viewpoint and the DCS to start them in clustered mode.
Enable PostgreSQL Replication
1. Enable public-key authentication for the postgres user between both servers. On each server, perform the following commands:
a. Assume the postgres user by typing the following commands: cd /data su postgres
b. Generate a public/private key pair by typing the following command: ssh-keygen -t rsa
c. Press Enter three times to accept the defaults.
d. Copy public key to alternate server by replacing [host] with an alternate server’s host name by typing the following command: scp /var/lib/pgsql/.ssh/id_rsa.pub [email protected][host]:/var/lib/pgsql/.ssh/authorized_keys
e. Accept alternate servers authenticity by typing yes and press Enter.
f. Enter root password for alternate server.
g. Test public-key authentication by replacing [host] with an alternate server’s host name by typing the following command: ssh [host]
h. Verify the above command logged into the alternate host without requiring a password.
i. Exit from ssh by typing the following command: exit
j. Exit postgres user by typing the following command: exit
2. Prepare the standby cache database server.
WARNING: Only run the following command on the standby cache database server and not on the active cache database server otherwise you will lose all your data!
a. Stop PostgreSQL by typing the following command: /etc/init.d/postgresql stop
b. Delete existing data on the standby cache database server by typing the following commands: rm -rf /data/postgresql/* rm -rf /data/archive/*
3. On the active cache database server, enable WAL archiving.
a. Edit /data/postgresql/postgresql.conf and look for the WRITE AHEAD LOG section:
o Set archive_mode = on and remove "#" comment from beginning of line.
o Set archive_command = '/opt/teradata/dcs/bin/archive.sh %p %f' and remove "#" comment from beginning of line.
o Set archive_timeout = 60 and remove "#" comment from beginning of line.
b. Restart postgresql by typing the following command: /etc/init.d/postgresql restart
4. Ensure the active cache database server WAL logs are being sent to the standby cache database server's /data/archive folder.
a. On the standby cache database, type the following command: ls /data/archive
You will see files copied there with names like “000000010000000000000000".
b. Open the PostgreSQL log file for the active cache database server located at, where DAY is the current day of the week: /data/postgresql/pg_log/postgresql.log.DAY
c. Look for any archive related errors.
5. Create a base backup of the active cache database on standby cache database server.
a. On the active cache database, start the base backup by typing the following commands: cd /data su postgres psql SELECT pg_start_backup('viewpoint'); \q exit
b. Copy cache database on active cache database server to standby cache database server. This could take a while depending on the size of the database. The rsync command below can be cancelled and restarted at any time and it will start transferring the database where it left off. The [host] value should be replaced with the standby cache database server host name. cd /data su postgres rsync -avtrz --exclude=pg_xlog/* -e ssh /data/postgresql/ [host]:/data/postgresql exit
c. On the active cache database, stop the base backup by typing the following commands: cd /data su postgres psql SELECT pg_stop_backup(); \q exit
6. Start standby cache database in recovery mode. All the following commands should be performed on the standby cache database server.
a. On the standby cache database server, set up the recovery configuration file by typing the following commands: rm -f /data/postgresql/recovery.done cp /opt/teradata/dcs/config/recovery.conf /data/postgresql/ cp /opt/teradata/dcs/bin/recover.sh /data/postgresql/
b. Modify the PostgreSQL init script to not wait for start up.
o Open /etc/init.d/postgresql and remove the -w option from where pg_ctl start is called.
c. Disable WAL archiving.
o Open /data/postgresql/postgresql.conf and look for the WRITE AHEAD LOG section.
o Set archive_mode to off.
d. Start PostgreSQL by typing the following command: /etc/init.d/postgresql start
e. Open the postgresql log file for the standby cache database server located at, where DAY is the current day of the week: /data/postgresql/pg_log/postgresql.log.DAY
f. Look for errors.
Look for output similar to following: Trigger file : /data/postgresql/active Waiting for WAL file : 000000010000001000000013 WAL file path : /data/archive/000000010000001000000013 Restoring to... : pg_xlog/RECOVERYXLOG Sleep interval : 5 seconds Max wait interval : 0 forever Command for restore : ln -s -f "/data/archive/000000010000001000000013" "pg_xlog/RECOVERYXLOG" Keep archive history : 000000010000001000000010 and later
If the WAL log files are being restored, then PostgreSQL replication has been configured correctly.
h. If using SSL for PostgreSQL connections on the active cache database, follow step 3 in the Cluster Security section for the new standby cache database. See Cluster Security on page 50.
Add Additional Teradata Viewpoint Servers to the Cluster
After a cluster has been configured with an active and a standby cache database, additional Teradata Viewpoint servers can be added to the cluster to support a growing number of end users.
1. Stop and disable the DCS by typing the following commands: /etc/init.d/dcs stop chkconfig dcs off
The DCS only runs on the servers hosting the active and standby cache databases.
2. On each existing server in the cluster, edit /etc/opt/teradata/viewpoint/local.cluster.properties and append a comma to the cluster.hosts property followed by the host names or IP address of the Teradata Viewpoint server being added. If using host authentication (see Additional Considerations on page 50), make sure to specify the IP address and not the host name.
3. Copy the current cluster configuration from another Teradata Viewpoint server in the cluster. Replace the [host] value in the following command with the host name or IP address of an existing Teradata Viewpoint server in the cluster. When prompted, enter the root password for the specified host. scp [email protected][host]/etc/opt/teradata/viewpoint/* /etc/opt/teradata/viewpoint/
4. Test communication with the rest of cluster.
a. Run /opt/teradata/dcs/bin/clustertest.sh on all the servers in the cluster. This command reads in data from the console.
c. Enter text on each server and ensure it appears on the other servers console when Enter is pressed. If this is does not work, check the configuration in /etc/opt/teradata/viewpoint/ local.cluster.properties to see if the cluster.hosts property is set correctly.
5. Restart the Teradata Viewpoint portal on the newly configured server.
Promote the Standby Cache Database
In situations where the active cache database goes down and cannot easily be restarted, the standby cache database can be promoted to the new active cache database. After the standby cache database is promoted to the active cache database, the Teradata Viewpoint portals in the cluster and the active DCS will automatically start using the newly promoted cache database.
To promote the standby cache database:
1. Log in to the Teradata Viewpoint server hosting the standby cache database and type the following command to promote the standby cache database: /opt/teradata/dcs/bin/promote.sh
2. Modify the PostgreSQL init script to wait for start up.
a. Open /etc/init.d/postgresql.
b. Add the -w option to the pg_ctl start command on line 131 as follows: pg_ctl start -s -w -p $H -D $DATADIR -o "\"$OPTIONS\""
3. Follow the instructions in Create a Teradata Viewpoint Cluster on page 40 to set up a new standby cache database. This can be done on the server that was previously hosting the active cache database or on an additional Teradata Viewpoint server.
4. If the standby server was set up on an additional Teradata Viewpoint server already in the cluster, reenable and start the DCS by typing the following commands: chkconfig dcs on /etc/init.d/dcs start
5. If the cluster was set up using the Advanced configuration, disable the Teradata Viewpoint portal on the newly promoted cache database host by typing the following commands: /etc/init.d/viewpoint stop chkconfig viewpoint off
Upgrade PostgreSQL to Enable Clustering
Creating a Teradata Viewpoint cluster requires installing PostgreSQL 8.3.5 on the Teradata Viewpoint servers hosting the active and standby cache databases.
Teradata Viewpoint servers staged prior to the release of Teradata Viewpoint 13.0.1 have an older version of PostgreSQL installed that is not compatible with clustering so the PostgreSQL databases on these servers need to be upgraded.
If the server being upgraded has pre-existing data on it that will be used to seed the cluster’s active cache database, this data should be migrated to a Teradata Viewpoint 13.0.1 or later server. See Migrate Pre-existing Data on page 47.
The destination server must be a properly staged Teradata Viewpoint server with PostgreSQL 8.3.5 installed. Do not upgrade the version of PostgreSQL on the source server until the data migration is complete.
Migrate Pre-existing Data
This procedure can take a couple of days depending on how much data has been collected. As a shortcut, you can skip the DCS collected data migration and instead only migrate the Teradata Viewpoint users, roles, permissions, preferences, and configuration. Skipping the migration of DCS data makes the migration process relatively quick.
1. Check to ensure the source and destination servers have the same version of Teradata Viewpoint installed. If the source server has an older version of Teradata Viewpoint installed, upgrade the Teradata Viewpoint software on the source server before continuing with the data migration.
2. On the source server, edit /data/postgresql/pg_hba.conf to allow access from the destination server by adding the following line (replace [IP ADDRESS] with the IP address of the destination server): host all postgres [IP ADDRESS]/32 trust
Note: If it is not the first entry in the pg_hba.conf file, the migration will fail.
3. Reload postgresql configuration on the source server by typing the following command: /etc/init.d/postgresql reload
4. Check to ensure the Teradata Viewpoint portal and DCS are stopped on the destination server.
5. On the destination server, migrate all of the configuration data from the source server by typing the following command (replace [SOURCE] with the IP address or hostname of the source server): /opt/teradata/dcs/bin/migrateconfig.sh [SOURCE]
6. On the destination server, run the DCS database setup script by typing the following command: /opt/teradata/dcs/bin/setupdb.sh
7. Start the Teradata Viewpoint portal and DCS.
Note: If continuing on with the next step, the portal may be slow to function as the data is loaded. During the data migration, historical data slowly starts to appear.
8. [Optional] On the destination server, migrate all of the performance and monitoring data collected by the DCS on the source server by typing the following command (replace [SOURCE] with the IP address or the hostname of the source server): /opt/teradata/dcs/bin/migratedata.sh [SOURCE]
Depending on how much data has been collected, this could take a couple of days. You can safely ignore any warnings during the restore.
Upgrade to PostgreSQL 8.3.5
1. Ensure postgresql is stopped by typing the following command: /etc/init.d/postgresql stop
2. Uninstall postgresql-server by typing the following command: rpm –e postgresql-server
3. Uninstall postgresql by typing the following command: rpm –e postgresql
4. Uninstall postgresql-libs by typing the following command: rpm –e postgresql-libs
5. Obtain the postgresql 8.3.5 packages from one of the following sources:
o Copy packages from Teradata Viewpoint – Open Source Install Packages CD.
o Download packages from the Teradata Software Server. The Teradata Software Server can be accessed from Teradata @Your Service (log in and click the Teradata Software Server link).
a. Select Miscellaneous.
b. From the menu on the left, select Others>Advocated Solutions.
c. Select Viewpoint 13.0.1.
d. Click Submit.
e. Select the packages specified below and enter the required fields.
f. Click Submit to download.
g. Extract the PostgreSQL packages from the downloaded archive.
The postgresql package includes:
o rpm -ivh postgresql-libs-8.3.5-2.1.x86_64.rpm
o rpm –ivh postgresql-8.3.5-2.1.x86_64.rpm
o rpm –ivh postgresql-server-8.3.5-2.1.x86_64.rpm
o rpm –ivh postgresql-contrib-8.3.5-2.1.x86_64.rpm
7. From the command prompt, enter the following command: chkconfig postgresql on
8. Follow the steps in Create a Teradata Viewpoint Cluster on page 40.
Additional Considerations
LAN vs. WAN
The recommended set up of a Teradata Viewpoint cluster is that all cluster members be located on the same LAN.
A Teradata Viewpoint cluster can be set up over a WAN, but a minimum of 16MB of data will be transferred between the active cache database and standby cache database every minute. This amounts to about 23GB a day. Only consider setting up a Viewpoint cluster spanning a WAN if there is adequate bandwidth available.
Cluster Security
Encryption and authentication between the hosts in the Teradata Viewpoint cluster is disabled, by default.
To encrypt all communications between hosts in a cluster and restrict the hosts that are able to participate in a cluster, use the following procedure:
1. Stop all Teradata Viewpoint portals and DCS in the cluster.
2. Enable encryption for messages sent between the hosts in the cluster.
a. Open the following file on every server in the cluster:
/etc/opt/teradata/viewpoint/cluster-protocol-stacks.xml
b. Uncomment the following line: 
3. Enable SSL access to the cache database by running the following commands on the Teradata Viewpoint server hosting both the active cache database and the standby cache database:
a. Change to the postgresql directory: cd /data/postgresql
b. Assume the postgres user: su postgres
c. Generate a certificate signing request: openssl req –new –text –out server.req
d. Enter a PEM pass phrase. It can be anything, but must be at least four characters in length.
e. Press Enter to the rest of the questions. There is no need to enter input.
f. Generate the server key: openssl rsa –in privkey.pem –out server.key
g. Enter the same pass phrase as above.
h. Remove privkey.rpm: rm privkey.pem
i. Create the certificate: openssl req –x509 –in server.req –text –key server.key –out server.crt
j. Change the permissions on the key: chmod og-rwx server.key
k. Open and edit /data/postgresql/postgresql.conf and change the line from #ssl = off to ssl = on.
l. Exit postgres user: exit
m. Restart postgresql: /etc/init.d/postgresql restart
4. Enable the use of SSL when Teradata Viewpoint or the DCS connects to the active cache database.
/etc/opt/teradata/viewpoint/local.cluster.properties
b. Uncomment the following line: #jdbc.options=ssl\=true&sslfactory\=org.postgresql.ssl. NonValidatingFactory
5. Enable host authentication to prevent unknown hosts from joining the cluster.
/etc/opt/teradata/viewpoint/cluster-protocol-stacks.xml
To enable cluster authentication, the cluster.hosts property in /etc/opt/teradata/viewpoint/local.cluster.properties must only contain IP addresses and not host names.
6. Test cluster communication with security enabled.
a. Run /opt/teradata/dcs/bin/clustertest.sh on all the servers in the cluster. This command reads in data from the console.
c. Enter text on each server and ensure it appears on the other server’s console when Enter is pressed. If this is does not work, check the configuration in /etc/opt/teradata/viewpoint/ local.cluster.properties to see if the cluster.hosts property is set with the correct IP addresses.
7. After the cluster communication test succeeds, restart all Teradata Viewpoint portals and DCS in the cluster.
Getting Notifications of Failures
When Teradata Viewpoint detects a failure has occurred that requires the attention of a Teradata Viewpoint administrator, an email can be sent out to a configured list of recipients. Emails will be sent out for the following conditions.
o The active DCS is down.
o The active DCS is restored.
o The active cache database is down.
o The active cache database is restored.
o Cache database replication not working.
1. To configure email alerts the following properties need to be modified in the /etc/opt/teradata/viewpoint/local.cluster.properties file on both the active and standby cache database servers.
o alert.enabled – Set to true to turn on email alerting.
o alert.smtpHost - The hostname of the smtp server that should be used to send emails.
o alert.fromAddress – [Optional] Set the from address that should appear in the email.
o alert.recipients – A comma-separated list of the email addresses that should receive alerts.
2. Test if notifications are working. Note: Firing a test alert is not available.
a. Stop the active DCS.
b. After 30 seconds, restart the DCS.
An email is sent for the active DCS going down and another one for the active DCS recovering. The standby DCS must be up and running for the alerts to be sent.
Ports Used for Clustering
Besides the normal ports required by Teradata Viewpoint, a Teradata Viewpoint cluster uses the ports in the range 22000 to 22010 for cluster communications.
Load Balancing
To make all Teradata Viewpoint portals in a cluster appear as a single host and to protect end-users from a single host failure, a third-party load balancer can be set up to split traffic between the running Teradata Viewpoint portals.
Configuration of a third-party load balancer is outside the scope of this guide.
Configure Teradata Viewpoint SSL Support Enable Teradata Viewpoint for SSL support
Enable users to access the Viewpoint server using an HTTPS connection.
Configure Tomcat for SSL support
To allow HTTPS communication to the Viewpoint server on port 8443:
a. Open the following file:
/opt/teradata/viewpoint/conf/server.xml
2. Save the server.xml file.
[Optional] Configure All Viewpoint Access To Be Over SSL
To force all users of Teradata Viewpoint to access the server using HTTPS:
2. Open /opt/teradata/viewpoint/conf/web.xml.
3. Add the following XML block to the end of the file, immediately before the existing </web-app> tag at the end of the file:
<security-constraint> <web-resource-collection>
</web-resource-collection> <user-data-constraint>
Create a Self-Signed Certificate
If you already have a trusted certificate from a certificate authority such as VeriSign®, skip to Import a Certificate on page 55 to import it. If you do not have a trusted certificate, use the following procedure to create your own self-signed certificate.
1. If you have not already done so, complete the steps to Configure Tomcat for SSL support on page 53.
3. Enter the following command and then follow the instructions on the screen:
keytool -genkey -alias tomcat -keyalg RSA
4. In the What is your first and last name field, enter your server domain name.
5. In the organization unit field, enter your division name.
6. In the organization field, enter your company name.
7. In the city, state, and country field, enter your city, state, and country.
8. Restart Tomcat if it is running.
9. Access the secure version at https://yourservername:8443.
Your self-signed certificate has been created and installed. If necessary, generate a Certificate Signing Request (CSR) and submit it to a Certification Authority (CA) to obtain a signed certificate.
10. After you receive the signed certificate, go to Import a Certificate on page 55 to import it.
Import a Certificate
After you have a signed certificate, use the following procedure to import it into the Java keystore. In the steps below, type the keytool command all on one line with a space where the line breaks are shown.
2. Install the SSL Certificate by typing the following command:
keytool -import -alias tomcat –keystore $JDK5_64_HOME/jre/lib/security/cacerts –trustcacerts –file <your_certificate_filename>
3. Enter the password: changeit.
If you receive any errors while installing the SSL certificate, they are most likely the result of not having a trusted certificate already installed in the cacerts keystore. Refer to the documentation for the Java keytool command for additional configuration steps and options: http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html
Certificates have different requirements for installation; therefore, consult the installation reference for your particular certificate.
Teradata Viewpoint Properties Teradata Viewpoint has a simple key-value properties table which is used to set various configuration options.
Available Properties Property Values Default Effect
Restart Required
viewpoint.shareableportlets. enabledbydefault
true or false false When true, shareable portlets are enabled by default; that is, it is not necessary for an Teradata Viewpoint Administrator to enable the portlet in the Portlet Library.
No
viewpoint.web.caching.dailyexpiry. enable
true or false true When true, web assets such as JS and CSS are given an expiration date of 2:00 a.m. the next morning. The browser will not check again for those assets until that time. When false, the expiration caching is disabled. When disabling caching (for example, before upgrading Teradata Viewpoint), the web assets will change, but the browser will not check for new assets because of the expired tag. When caching is enabled, Teradata Viewpoint only checks this property (to determine whether caching should be disabled) at the switchover time (that is, every day at 2:00 a.m.). D